Network News


Black Hat Talk on Apple Encryption Flaw Pulled

A security researcher who was set to speak at the Black Hat hacker convention in Las Vegas next week on a previously undiscovered flaw in Apple's FileVault encryption system has canceled his talk, citing confidentiality agreements with the Cupertino computer maker.

Charles Edge, a researcher from Georgia, had been slated to discuss his research on a weakness that could be used to defeat FileVault encryption on the Mac. But sometime last week, Black Hat organizers pulled his name and presentation listing from its schedule of talks.

Contacted via cell phone, Edge said he signed confidentiality agreements with Apple, which prevent him from speaking on the topic and from discussing the matter further.

Almost every year, much of the drama leading up to and during Black Hat seems to revolve around talks that are canceled or censored at the last minute for various legal reasons.

At Black Hat 2007, well-known reverse engineering expert Halvar Flake couldn't give his presentation when he was denied entry to the United States because of a mix-up with his visa. At Black Hat D.C. earlier that year, researchers from security service firm IOActive were prevented from presenting research on vulnerabilities they found in RFID technology. And who could forget Mike Lynn's talk at Black Hat 2005, where presentation materials for Lynn's talk on flaws in Cisco's Internet routers were literally ripped out of thousands of books due to legal pressure from Cisco.

Edge should absolutely honor any legal agreements he signed with Apple, which he says is his biggest client. But these kinds of reversals have a funny way of stoking the curiosity of the hacker community, already an inquisitive bunch by nature.

Update, Aug. 2, 2:26 p.m. ET: Looks like yet another talk about Apple security will be canceled at Black Hat this year. Apple has pulled its security engineering team out of a planned public discussion on the company's security practices, which had been set for next week's Black Hat security conference in Las Vegas, according to Computerworld's Robert McMillan.

From that story:

The panel would have been a first for Apple, but the company pulled out of the discussion at the last minute, Black Hat Director Jeff Moss said in an interview Friday.

"Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval," he said.

Read more here.

By Brian Krebs  |  July 31, 2008; 9:00 PM ET
Categories:  From the Bunker  

Comments

How could he even think he could do such a talk if he had signed such agreements?

Posted by: Larry Seltzer | July 31, 2008 9:10 PM | Report abuse

I assume he signed the agreement after he found the flaw and volunteered to talk about Black Hat.

Let's hope Apple does the right thing and fixes the problem--and doesn't just wait for someone else to find and disclose it.

Posted by: MarvinK | July 31, 2008 10:28 PM | Report abuse

Curiosities: did Edge have agreements in place before or after he did his research? (he's free to enter into any agreements he wishes to). Did Apple remind Edge of any EULA obligations that they might have pointed out to him?

Was Apple his biggest client after he was slated to speak at Black Hat, or before he started his research?

When are researchers going to start doing daily diffs of the BH site, watching for removals? (or are they already and keeping the resultant insights to themselves?)

How long before someone else recreates the research? (knowing what to look for is most of the battle).

Brian, any answers to the non-rhetorical questions posed would be appreciated.

just curious

Posted by: just curious | August 1, 2008 12:01 AM | Report abuse

Apple released Security Update 2008-005 on July 31, 2008. The issue may have been fixed with this release:
http://support.apple.com/kb/HT2647

Posted by: Ed | August 1, 2008 3:46 AM | Report abuse

I bet he knew he would never end up giving the talk but maybe wanted to bring publicity to the Apple vulnerability. Apple is making themselves a fun target because of their pompous better than thou attitude. Serves them right. I imagine it won't be long before the vulnerability is discovered and released to the public.

Maybe they can patch this problem several months from now when they patch the DNS thingy.

Posted by: DT | August 1, 2008 10:12 AM | Report abuse

Oops. Read BK's next article. So they finally got around to the DNS patch.

Posted by: DT | August 1, 2008 10:18 AM | Report abuse

To DT: we don't have a "pompous better than thou" attitude, we have a "pompous holier than thou" attitude.

Get it right.

Posted by: Patrick | August 1, 2008 11:16 AM | Report abuse

I wouldn't say that Apple's attitude is particularly 'pompous'. Their 'I'm a Mac' ads are cute and poke fun at Windows. And yes, a 30 second spot is going to be drastically over-simplified. Any discussion about computer security, especially one comparing Vista to Leopard, would require far more than 30 seconds. I think calling that 'pompous' is being dramatic.

When you refer to Apple's 'pompous better than thou' attitude, I'm guessing that you're actually referring not to the company itself, but to the Apple-fanboys-and-fangirls. They are ravenously crazy and are as much a liability today as they were an asset in the dark years of Apple. When (not if) us Mac-users are finally subjected to a real-world security threat, however, your karmic revenge will be in knowing that NONE of them had any protection in place when it happened. =)

I'd certainly agree that Apple is getting a free ride so far when it comes to their lax response to security problems. Let's hear it for BH (and others) for putting Apple's feet to the fire.

Posted by: AM | August 1, 2008 11:30 AM | Report abuse

Gee, too bad, Brian. You and all your Apple hater friends, especially your Black Hat buddy Maynor, must be raging. But don't worry, with that many haters in one room, I'm sure someone will come up with some way to hate on Apple. Cheer-up!

Posted by: zato | August 1, 2008 7:36 PM | Report abuse

Hi

Posted by: vagon | August 2, 2008 1:42 PM | Report abuse

The 2008-005 security update did not list any fixes to FileVault encryption. One of the fixes it listed, to the DNS flaw, was implemented only on OS X Server, but not on standard editions of OS X, which are still vulnerable; albeit not in most environments.

Posted by: Ploni Almoni | August 3, 2008 1:47 AM | Report abuse

So wait, the apple panel discussion... it was never accepted?

"That talk had not actually been accepted by conference organizers, but it was the proposal to do the talk that was withdrawn, Moss said."

Didn't I see this up on the website, on the schedule? I don't recall ever seeing speeches on the schedule and list of speakers that had not actually been accepted.

I can believe that they withdrew (their already accepted speech?), that their marketing department told them nothing came out of the company without their say-so (a common stance). What strikes me as wrong is that the speech was never accepted.

I imagine this point will be more clear once the printed programs have been distributed.

Just Curious

Posted by: Curious | August 3, 2008 4:29 PM | Report abuse

Maybe they have to match trouble to holt these from their server!!
The OSX.LEAP.B virus, read about it here!
http://members.chello.nl/t.emmelot/

Posted by: Tom Emmelot | August 3, 2008 5:11 PM | Report abuse

So that was gone Quick!
Paid my Apple?

Posted by: Tom Emmelot | August 3, 2008 5:19 PM | Report abuse

@Seltzer: obviously because he was hoping A would give the go-ahead.

Posted by: Rick | August 3, 2008 7:45 PM | Report abuse

I've often wondered how these "security researchers" get their money. Now I know: After finding a vulnerability, they just announce they are going to do an expose or Black Hat talk on it, and VOILA! the company with the bug or loophole pays them boatloads of money NOT to disclose it. Brilliant! :-)

Posted by: Bob C. | August 4, 2008 4:37 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company